Data Processing Agreement

Last updated: 2026-05-11.

This Data Processing Agreement (“DPA”) forms part of the agreement between GenerativeModels Inc. (“Ripenn”, “we”, “us”) and the customer (“Customer”, “you”) under which Ripenn provides the Ripenn service (the “Services”). It governs Ripenn's processing of personal data on Customer's behalf in connection with the Services.

This DPA applies whenever Ripenn processes personal data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), or other applicable data protection laws.

To request a countersigned copy of this DPA executed with your organization's name and details, email support@ripenn.ai with the subject “DPA request” and include your company legal name, address, and the name of an authorized signatory. We countersign and return within 5 business days.

1. Definitions

For the purposes of this DPA:

  • “Customer Personal Data” means personal data that Ripenn processes on behalf of Customer in connection with the Services. This includes account information of Customer's users, audit configuration data, and any personal data contained in prompts Customer submits.
  • “Data Protection Laws” means GDPR (Regulation (EU) 2016/679), UK GDPR, PIPEDA, and any other privacy or data protection laws applicable to Ripenn's processing of Customer Personal Data.
  • “Data Subject”, “Controller”, “Processor”, “Processing”, “Personal Data Breach”, and “Supervisory Authority” have the meanings given in GDPR.
  • “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914, Module Two (controller to processor).
  • “UK IDTA” means the International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner's Office.
  • “Subprocessor” means any third party engaged by Ripenn to process Customer Personal Data in connection with the Services.

2. Roles and scope

For Customer Personal Data processed under the Services, Customer is the Controller and Ripenn is the Processor. Where Customer is itself a processor for an upstream controller (for example, when Customer processes data on behalf of its own end-clients), Ripenn acts as a subprocessor.

This DPA does not apply to personal data Ripenn collects directly from Customer in its capacity as a controller — for example, billing contacts, the email address used to create a Ripenn account, or marketing communications. Ripenn's processing of that data is governed by the Ripenn Privacy Policy.

3. Subject matter, duration, nature, and purpose of processing

  • Subject matter: Provision of the Ripenn AI visibility tracking and Generative Engine Optimization Services as described in Customer's order or subscription.
  • Duration: For the term of Customer's subscription, plus any retention period specified in Section 12.
  • Nature of processing: Hosting, storing, transmitting, and analyzing Customer Personal Data as required to deliver the Services, including sending prompt content to third-party AI providers as documented in the Data Usage page.
  • Purpose: To enable Customer to measure and improve its brand's visibility in AI-generated responses.
  • Types of personal data: Customer's user account data (name, email), authentication credentials, IP addresses, and any personal data contained in prompts or content Customer chooses to submit to the Services.
  • Categories of data subjects: Customer's authorized users; any individuals whose personal data Customer chooses to include in prompts or content submitted to the Services.

4. Customer instructions

Ripenn will only process Customer Personal Data in accordance with documented instructions from Customer, including with regard to transfers of personal data outside the EEA, UK, or Canada. The following constitute Customer's documented instructions:

  • This DPA
  • The Ripenn Terms of Service
  • The configuration choices Customer makes within the Services (prompt sets, integrations, sharing settings)
  • Any additional written instructions agreed between the parties

Ripenn will notify Customer if it believes a Customer instruction infringes Data Protection Laws.

5. Confidentiality

Ripenn ensures that any person it authorizes to process Customer Personal Data is subject to a written confidentiality obligation or a statutory duty of confidentiality. Access to Customer Personal Data is granted only to personnel who need it to perform their work for Ripenn.

6. Security measures

Ripenn implements appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, or disclosure. These measures are described in detail on the Security page and include:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-tenant isolation enforced by row-level security on every table containing customer data
  • Authentication via Supabase Auth with HTTP-only secure session cookies and anti-bot protection on sign-in
  • Role-based access controls with production access limited to authorized personnel and reviewed quarterly
  • Dependency scanning, secret scanning, and code review on all production deployments
  • Application error monitoring, infrastructure logging, and authentication event logging
  • Automated daily database backups retained for 7 days

Ripenn may update these measures over time. Any updates will maintain or improve the overall security posture and will be reflected on the Security page.

7. Subprocessors

7.1 General authorization

Customer grants Ripenn general authorization to engage subprocessors for the processing of Customer Personal Data, subject to the conditions in this Section 7.

7.2 Current subprocessors

The current list of subprocessors is maintained at ripenn.ai/subprocessors and includes the third party's name, the purpose of the processing, the categories of data processed, and the location of processing.

7.3 Notification of new subprocessors

Ripenn will notify Customer of any intended addition or replacement of a subprocessor that processes Customer Personal Data at least 14 days before the change takes effect. Notification will be made by email to Customer's designated contact and by updating the Subprocessors page.

7.4 Right to object

Customer may object to a new subprocessor on reasonable data protection grounds within 14 days of notification by emailing support@ripenn.ai. If Customer objects, Ripenn will use reasonable efforts to make a change to the Services that avoids the use of the proposed subprocessor for Customer Personal Data. If Ripenn is unable to make such a change within a reasonable period, Customer may terminate the affected portion of the Services with a pro-rated refund of prepaid fees for the unused term.

7.5 Subprocessor obligations

Ripenn imposes data protection terms on each subprocessor that are no less protective than those in this DPA. Ripenn remains liable to Customer for the performance of each subprocessor's obligations.

8. International data transfers

Customer Personal Data is processed primarily in the United States (the primary hosting region for Ripenn's infrastructure is AWS us-east-2). For transfers of Customer Personal Data from the EEA, UK, or Switzerland to a country not deemed adequate by the relevant Supervisory Authority:

  • EEA transfers: The Standard Contractual Clauses, Module Two (controller to processor), are incorporated into this DPA by reference and apply to such transfers. The optional clauses are not selected unless agreed in writing. Annexes I, II, and III are populated by reference to the operative sections of this DPA and to the Subprocessors page.
  • UK transfers: The UK IDTA is incorporated into this DPA by reference and applies to such transfers, with the tables completed by reference to the operative sections of this DPA.
  • Swiss transfers: The SCCs apply with the modifications required by the Swiss Federal Data Protection Act.

Where a subprocessor offers additional certifications (Data Privacy Framework, ISO 27001, SOC 2), Ripenn relies on those as supplementary safeguards.

9. Data subject rights

9.1 Assistance to Customer

Taking into account the nature of the processing, Ripenn will provide reasonable assistance to Customer in fulfilling its obligation to respond to requests from data subjects exercising their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection, withdrawal of consent).

9.2 Requests received directly

If Ripenn receives a request from a data subject relating to Customer Personal Data, Ripenn will, unless prohibited by law, promptly forward the request to Customer and will not respond to the data subject directly except to confirm receipt and refer the data subject to Customer.

10. Personal data breaches

10.1 Notification

Ripenn will notify Customer without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

10.2 Information provided

To the extent the information is known, the notification will include:

  • The nature of the breach, including the categories and approximate number of data subjects and records affected
  • The likely consequences of the breach
  • The measures Ripenn has taken or proposes to take to address the breach and mitigate its effects

Where complete information is not available within 72 hours, Ripenn will provide initial notification with available facts and supplement with further information as it becomes available.

10.3 Cooperation

Ripenn will reasonably cooperate with Customer in investigating, mitigating, and remediating any Personal Data Breach, and will assist Customer in fulfilling its own breach notification obligations to Supervisory Authorities and data subjects.

11. Audits

11.1 Right to audit

Customer has the right to audit Ripenn's compliance with this DPA. Ripenn will satisfy this right primarily by providing:

  • Responses to reasonable security questionnaires (one questionnaire per Customer per calendar year, of reasonable scope)
  • The most recent versions of relevant security and architecture documentation (the Security page, Subprocessors page, and Data Usage page constitute Ripenn's published baseline)
  • Independent third-party audit reports if and when available (Ripenn has not completed a SOC 2 or ISO 27001 audit as of the date of this DPA; see the Trust page for current status)

11.2 On-site audits

If the materials in Section 11.1 are insufficient to demonstrate compliance, Customer may request an on-site audit, subject to:

  • No more than once per 12-month period (more frequently if required by a Supervisory Authority)
  • At least 30 days' advance written notice
  • Performance during business hours and in a manner that does not unreasonably interfere with Ripenn's operations
  • A written confidentiality agreement covering all information accessed
  • Customer bears its own costs and reasonable Ripenn costs for the audit

12. Return or deletion of data

Upon termination of the Services or at Customer's written request, Ripenn will, at Customer's choice, return or delete all Customer Personal Data in its possession, subject to:

  • A reasonable wind-down period during which Customer can export its own data through the Services
  • Retention required by applicable law, in which case Ripenn will continue to protect the data in accordance with this DPA
  • Database backup copies, which age out within the 7-day backup retention window described on the Security page

Ripenn will provide written confirmation of deletion upon request.

13. Liability

The limitations of liability set out in the underlying agreement between Customer and Ripenn apply to this DPA. Nothing in this DPA limits any liability that cannot be limited under applicable law.

14. Conflicts and order of precedence

In the event of any conflict between this DPA and the underlying agreement, this DPA prevails with respect to the processing of Customer Personal Data. In the event of any conflict between this DPA and the SCCs or UK IDTA, the SCCs or UK IDTA prevail.

15. Changes to this DPA

Ripenn may update this DPA from time to time to reflect changes in the Services, Data Protection Laws, or industry practice. Material changes affecting Customer's rights or Ripenn's obligations under this DPA will be communicated to Customer by email at least 30 days before they take effect. The “Last updated” date at the top of this DPA reflects the most recent change.

16. Governing law and jurisdiction

This DPA is governed by the laws of the Province of Ontario, Canada, and the federal laws of Canada applicable therein, except where Data Protection Laws require a different governing law (in which case the relevant Data Protection Law governs the interpretation of its own provisions).

17. Contact

For any matter relating to this DPA, including requests for countersignature, breach notifications received by Customer, or audit requests, contact:

GenerativeModels Inc.
Attn: Privacy
Toronto, Ontario, Canada
Email: support@ripenn.ai

Annex I — Description of processing

This Annex I corresponds to Annex I of the Standard Contractual Clauses and is populated by reference to Sections 2, 3, and 7 of this DPA, and to the Subprocessors page at ripenn.ai/subprocessors.

A. List of parties

  • Data exporter (Controller): the Customer, as identified in the underlying agreement and in any countersigned execution copy of this DPA.
  • Data importer (Processor): GenerativeModels Inc., a Canadian corporation operating Ripenn, with its registered address in Toronto, Ontario, Canada.

B. Description of transfer

Categories of data subjects, categories of personal data, frequency, nature, purpose, period of retention, and recipients: as described in Section 3 of this DPA and on the Subprocessors page.

C. Competent supervisory authority

  • For EEA transfers: the Supervisory Authority of the EU member state in which the Customer (as data exporter) is established, or, if the Customer is not established in the EEA, the Supervisory Authority designated under GDPR Article 27.
  • For UK transfers: the UK Information Commissioner's Office.

Annex II — Technical and organizational measures

The technical and organizational measures Ripenn implements are described on the Security page, which is incorporated by reference into this Annex II. The Security page is updated as Ripenn's controls evolve; the version of the Security page in effect on the date a Personal Data Breach occurs governs the measures applicable to that breach.

Annex III — Subprocessors

The list of authorized subprocessors is maintained at ripenn.ai/subprocessors and is incorporated by reference into this Annex III.

This document is a template intended for public review. A countersigned copy executed in the name of a specific Customer is available on request to support@ripenn.ai.